Your message dated Mon, 21 Apr 2025 06:34:14 +0000
with message-id <e1u6kjo-001rdd...@fasolo.debian.org>
and subject line Bug#1098325: fixed in node-dompurify 3.1.7+dfsg+~3.0.5-2
has caused the Debian Bug report #1098325,
regarding node-dompurify: CVE-2025-26791
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1098325: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098325
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-dompurify
Version: 3.1.7+dfsg+~3.0.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-dompurify.

CVE-2025-26791[0]:
| DOMPurify before 3.2.4 has an incorrect template literal regular
| expression, sometimes leading to mutation cross-site scripting
| (mXSS).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-26791
    https://www.cve.org/CVERecord?id=CVE-2025-26791
[1] https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02
[2] https://ensy.zip/posts/dompurify-323-bypass/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-dompurify
Source-Version: 3.1.7+dfsg+~3.0.5-2
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-dompurify, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1098...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-dompurify package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 21 Apr 2025 08:21:37 +0200
Source: node-dompurify
Architecture: source
Version: 3.1.7+dfsg+~3.0.5-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1098325
Changes:
 node-dompurify (3.1.7+dfsg+~3.0.5-2) unstable; urgency=medium
 .
   * Team upload
   * Changed the template literal regex to avoid a config-dependent bypass
     (Closes: #1098325, CVE-2025-26791)
Checksums-Sha1:
 737e7de99c855f6bbdee9cf0d45ec7a69b3fb5da 2609 node-dompurify_3.1.7+dfsg+~3.0.5-2.dsc
 00e22cbc9ebaebf940f956bcd90cdfc59f2c9daf 4408 node-dompurify_3.1.7+dfsg+~3.0.5-2.debian.tar.xz
Checksums-Sha256:
 e32d2b38c4fd23ede31abeee6da7bdb4e7661b6188a764c9c275fa3942130f82 2609 node-dompurify_3.1.7+dfsg+~3.0.5-2.dsc
 fbc874b853a70233f2282423e15a6005084f0398f423d0ff9fbfd6f3a6ba3e18 4408 node-dompurify_3.1.7+dfsg+~3.0.5-2.debian.tar.xz
Files:
 91b325cfcfe673552296d29e753b86d2 2609 javascript optional node-dompurify_3.1.7+dfsg+~3.0.5-2.dsc
 5049b4dc0579828c261b0744ee2759cf 4408 javascript optional node-dompurify_3.1.7+dfsg+~3.0.5-2.debian.tar.xz



--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
